Wednesday, February 24, 2016

Doing some node.js stuff with ADFS and I needed the token-signing key as a .cer file.

With automatic rollover, the certificate is not in the normal certificate store (the one you get to via mmc). Inside the ADFS wizard, you can't right-click / export.

I'd just written a forum answer about getting the token signing certificate private key (which is not possible with automatic rollover) which "confused" me and I couldn't figure out how to get the .cer file.

Try to reduce the number of claims, e.g. by sending only the specific groups the application needs rather than all of the user's groups.

Use SAML artifact resolution

In artifact resolution, the message the browser carries just contains an artifact, which is a short opaque reference to the actual assertion. The relying party then sends the artifact back to the IdP's artifact resolution endpoint via a SOAP back channel and gets the full assertion with the set of claims, so the size of the front-channel message no longer depends on how many claims there are.

Or you could use a variation of this, which is to send a limited set of claims, enough for most purposes. For the times when you need the extra claims, you could e.g. use the Microsoft Graph API in Azure AD to get the others.

Yes - that basically defeats the whole purpose of claims but sometimes it's a case of any port in a storm!

This supports WS-Fed, SAML and OpenID Connect / OAuth 2.0. It's developed by Microsoft. Unfortunately, it was developed on Express 3, whereas the current Express release is 4. A lot has changed between the two and this release does not currently work on Express 4.

Wednesday, February 03, 2016

If you've ever looked at Auth0, you'll know that it's basically a hub that handles all the protocols and conversions: every application and every IdP has one connection to the hub, and anyone can connect to anything.

You can come in with OpenID Connect and a JWT and exit with SAML-P and a SAML token.

The same kind of thing happens with Azure AD when you have a federated tenant that uses ADFS for the authentication.

The user accesses a .NET application that uses the OWIN OpenID Connect stack to connect to AAD.